1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 22 /* 23 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 24 * Use is subject to license terms. 25 */ 26 27 /* 28 * zoneadmd manages zones; one zoneadmd process is launched for each 29 * non-global zone on the system. This daemon juggles four jobs: 30 * 31 * - Implement setup and teardown of the zone "virtual platform": mount and 32 * unmount filesystems; create and destroy network interfaces; communicate 33 * with devfsadmd to lay out devices for the zone; instantiate the zone 34 * console device; configure process runtime attributes such as resource 35 * controls, pool bindings, fine-grained privileges. 36 * 37 * - Launch the zone's init(1M) process. 38 * 39 * - Implement a door server; clients (like zoneadm) connect to the door 40 * server and request zone state changes. The kernel is also a client of 41 * this door server. A request to halt or reboot the zone which originates 42 * *inside* the zone results in a door upcall from the kernel into zoneadmd. 43 * 44 * One minor problem is that messages emitted by zoneadmd need to be passed 45 * back to the zoneadm process making the request. These messages need to 46 * be rendered in the client's locale; so, this is passed in as part of the 47 * request. The exception is the kernel upcall to zoneadmd, in which case 48 * messages are syslog'd. 49 * 50 * To make all of this work, the Makefile adds -a to xgettext to extract *all* 51 * strings, and an exclusion file (zoneadmd.xcl) is used to exclude those 52 * strings which do not need to be translated. 53 * 54 * - Act as a console server for zlogin -C processes; see comments in zcons.c 55 * for more information about the zone console architecture. 56 * 57 * DESIGN NOTES 58 * 59 * Restart: 60 * A chief design constraint of zoneadmd is that it should be restartable in 61 * the case that the administrator kills it off, or it suffers a fatal error, 62 * without the running zone being impacted; this is akin to being able to 63 * reboot the service processor of a server without affecting the OS instance. 64 */ 65 66 #include <sys/param.h> 67 #include <sys/mman.h> 68 #include <sys/types.h> 69 #include <sys/stat.h> 70 #include <sys/sysmacros.h> 71 72 #include <bsm/adt.h> 73 #include <bsm/adt_event.h> 74 75 #include <alloca.h> 76 #include <assert.h> 77 #include <errno.h> 78 #include <door.h> 79 #include <fcntl.h> 80 #include <locale.h> 81 #include <signal.h> 82 #include <stdarg.h> 83 #include <stdio.h> 84 #include <stdlib.h> 85 #include <string.h> 86 #include <strings.h> 87 #include <synch.h> 88 #include <syslog.h> 89 #include <thread.h> 90 #include <unistd.h> 91 #include <wait.h> 92 #include <limits.h> 93 #include <zone.h> 94 #include <libbrand.h> 95 #include <sys/brand.h> 96 #include <libcontract.h> 97 #include <libcontract_priv.h> 98 #include <sys/brand.h> 99 #include <sys/contract/process.h> 100 #include <sys/ctfs.h> 101 #include <libdladm.h> 102 #include <sys/dls_mgmt.h> 103 104 #include <libzonecfg.h> 105 #include "zoneadmd.h" 106 107 static char *progname; 108 char *zone_name; /* zone which we are managing */ 109 char brand_name[MAXNAMELEN]; 110 boolean_t zone_isnative; 111 boolean_t zone_iscluster; 112 boolean_t zone_islabeled; 113 static zoneid_t zone_id; 114 dladm_handle_t dld_handle = NULL; 115 116 static char pre_statechg_hook[2 * MAXPATHLEN]; 117 static char post_statechg_hook[2 * MAXPATHLEN]; 118 char query_hook[2 * MAXPATHLEN]; 119 120 zlog_t logsys; 121 122 mutex_t lock = DEFAULTMUTEX; /* to serialize stuff */ 123 mutex_t msglock = DEFAULTMUTEX; /* for calling setlocale() */ 124 125 static sema_t scratch_sem; /* for scratch zones */ 126 127 static char zone_door_path[MAXPATHLEN]; 128 static int zone_door = -1; 129 130 boolean_t in_death_throes = B_FALSE; /* daemon is dying */ 131 boolean_t bringup_failure_recovery = B_FALSE; /* ignore certain failures */ 132 133 #if !defined(TEXT_DOMAIN) /* should be defined by cc -D */ 134 #define TEXT_DOMAIN "SYS_TEST" /* Use this only if it wasn't */ 135 #endif 136 137 #define DEFAULT_LOCALE "C" 138 139 static const char * 140 z_cmd_name(zone_cmd_t zcmd) 141 { 142 /* This list needs to match the enum in sys/zone.h */ 143 static const char *zcmdstr[] = { 144 "ready", "boot", "forceboot", "reboot", "halt", 145 "note_uninstalling", "mount", "forcemount", "unmount" 146 }; 147 148 if (zcmd >= sizeof (zcmdstr) / sizeof (*zcmdstr)) 149 return ("unknown"); 150 else 151 return (zcmdstr[(int)zcmd]); 152 } 153 154 static char * 155 get_execbasename(char *execfullname) 156 { 157 char *last_slash, *execbasename; 158 159 /* guard against '/' at end of command invocation */ 160 for (;;) { 161 last_slash = strrchr(execfullname, '/'); 162 if (last_slash == NULL) { 163 execbasename = execfullname; 164 break; 165 } else { 166 execbasename = last_slash + 1; 167 if (*execbasename == '\0') { 168 *last_slash = '\0'; 169 continue; 170 } 171 break; 172 } 173 } 174 return (execbasename); 175 } 176 177 static void 178 usage(void) 179 { 180 (void) fprintf(stderr, gettext("Usage: %s -z zonename\n"), progname); 181 (void) fprintf(stderr, 182 gettext("\tNote: %s should not be run directly.\n"), progname); 183 exit(2); 184 } 185 186 /* ARGSUSED */ 187 static void 188 sigchld(int sig) 189 { 190 } 191 192 char * 193 localize_msg(char *locale, const char *msg) 194 { 195 char *out; 196 197 (void) mutex_lock(&msglock); 198 (void) setlocale(LC_MESSAGES, locale); 199 out = gettext(msg); 200 (void) setlocale(LC_MESSAGES, DEFAULT_LOCALE); 201 (void) mutex_unlock(&msglock); 202 return (out); 203 } 204 205 /* PRINTFLIKE3 */ 206 void 207 zerror(zlog_t *zlogp, boolean_t use_strerror, const char *fmt, ...) 208 { 209 va_list alist; 210 char buf[MAXPATHLEN * 2]; /* enough space for err msg with a path */ 211 char *bp; 212 int saved_errno = errno; 213 214 if (zlogp == NULL) 215 return; 216 if (zlogp == &logsys) 217 (void) snprintf(buf, sizeof (buf), "[zone '%s'] ", 218 zone_name); 219 else 220 buf[0] = '\0'; 221 bp = &(buf[strlen(buf)]); 222 223 /* 224 * In theory, the locale pointer should be set to either "C" or a 225 * char array, so it should never be NULL 226 */ 227 assert(zlogp->locale != NULL); 228 /* Locale is per process, but we are multi-threaded... */ 229 fmt = localize_msg(zlogp->locale, fmt); 230 231 va_start(alist, fmt); 232 (void) vsnprintf(bp, sizeof (buf) - (bp - buf), fmt, alist); 233 va_end(alist); 234 bp = &(buf[strlen(buf)]); 235 if (use_strerror) 236 (void) snprintf(bp, sizeof (buf) - (bp - buf), ": %s", 237 strerror(saved_errno)); 238 if (zlogp == &logsys) { 239 (void) syslog(LOG_ERR, "%s", buf); 240 } else if (zlogp->logfile != NULL) { 241 (void) fprintf(zlogp->logfile, "%s\n", buf); 242 } else { 243 size_t buflen; 244 size_t copylen; 245 246 buflen = snprintf(zlogp->log, zlogp->loglen, "%s\n", buf); 247 copylen = MIN(buflen, zlogp->loglen); 248 zlogp->log += copylen; 249 zlogp->loglen -= copylen; 250 } 251 } 252 253 /* 254 * Emit a warning for any boot arguments which are unrecognized. Since 255 * Solaris boot arguments are getopt(3c) compatible (see kernel(1m)), we 256 * put the arguments into an argv style array, use getopt to process them, 257 * and put the resultant argument string back into outargs. 258 * 259 * During the filtering, we pull out any arguments which are truly "boot" 260 * arguments, leaving only those which are to be passed intact to the 261 * progenitor process. The one we support at the moment is -i, which 262 * indicates to the kernel which program should be launched as 'init'. 263 * 264 * A return of Z_INVAL indicates specifically that the arguments are 265 * not valid; this is a non-fatal error. Except for Z_OK, all other return 266 * values are treated as fatal. 267 */ 268 static int 269 filter_bootargs(zlog_t *zlogp, const char *inargs, char *outargs, 270 char *init_file, char *badarg) 271 { 272 int argc = 0, argc_save; 273 int i; 274 int err; 275 char *arg, *lasts, **argv = NULL, **argv_save; 276 char zonecfg_args[BOOTARGS_MAX]; 277 char scratchargs[BOOTARGS_MAX], *sargs; 278 char c; 279 280 bzero(outargs, BOOTARGS_MAX); 281 bzero(badarg, BOOTARGS_MAX); 282 283 /* 284 * If the user didn't specify transient boot arguments, check 285 * to see if there were any specified in the zone configuration, 286 * and use them if applicable. 287 */ 288 if (inargs == NULL || inargs[0] == '\0') { 289 zone_dochandle_t handle; 290 if ((handle = zonecfg_init_handle()) == NULL) { 291 zerror(zlogp, B_TRUE, 292 "getting zone configuration handle"); 293 return (Z_BAD_HANDLE); 294 } 295 err = zonecfg_get_snapshot_handle(zone_name, handle); 296 if (err != Z_OK) { 297 zerror(zlogp, B_FALSE, 298 "invalid configuration snapshot"); 299 zonecfg_fini_handle(handle); 300 return (Z_BAD_HANDLE); 301 } 302 303 bzero(zonecfg_args, sizeof (zonecfg_args)); 304 (void) zonecfg_get_bootargs(handle, zonecfg_args, 305 sizeof (zonecfg_args)); 306 inargs = zonecfg_args; 307 zonecfg_fini_handle(handle); 308 } 309 310 if (strlen(inargs) >= BOOTARGS_MAX) { 311 zerror(zlogp, B_FALSE, "boot argument string too long"); 312 return (Z_INVAL); 313 } 314 315 (void) strlcpy(scratchargs, inargs, sizeof (scratchargs)); 316 sargs = scratchargs; 317 while ((arg = strtok_r(sargs, " \t", &lasts)) != NULL) { 318 sargs = NULL; 319 argc++; 320 } 321 322 if ((argv = calloc(argc + 1, sizeof (char *))) == NULL) { 323 zerror(zlogp, B_FALSE, "memory allocation failed"); 324 return (Z_NOMEM); 325 } 326 327 argv_save = argv; 328 argc_save = argc; 329 330 (void) strlcpy(scratchargs, inargs, sizeof (scratchargs)); 331 sargs = scratchargs; 332 i = 0; 333 while ((arg = strtok_r(sargs, " \t", &lasts)) != NULL) { 334 sargs = NULL; 335 if ((argv[i] = strdup(arg)) == NULL) { 336 err = Z_NOMEM; 337 zerror(zlogp, B_FALSE, "memory allocation failed"); 338 goto done; 339 } 340 i++; 341 } 342 343 /* 344 * We preserve compatibility with the Solaris system boot behavior, 345 * which allows: 346 * 347 * # reboot kernel/unix -s -m verbose 348 * 349 * In this example, kernel/unix tells the booter what file to 350 * boot. We don't want reboot in a zone to be gratuitously different, 351 * so we silently ignore the boot file, if necessary. 352 */ 353 if (argv[0] == NULL) 354 goto done; 355 356 assert(argv[0][0] != ' '); 357 assert(argv[0][0] != '\t'); 358 359 if (argv[0][0] != '-' && argv[0][0] != '\0') { 360 argv = &argv[1]; 361 argc--; 362 } 363 364 optind = 0; 365 opterr = 0; 366 err = Z_OK; 367 while ((c = getopt(argc, argv, "fi:m:s")) != -1) { 368 switch (c) { 369 case 'i': 370 /* 371 * -i is handled by the runtime and is not passed 372 * along to userland 373 */ 374 (void) strlcpy(init_file, optarg, MAXPATHLEN); 375 break; 376 case 'f': 377 /* This has already been processed by zoneadm */ 378 break; 379 case 'm': 380 case 's': 381 /* These pass through unmolested */ 382 (void) snprintf(outargs, BOOTARGS_MAX, 383 "%s -%c %s ", outargs, c, optarg ? optarg : ""); 384 break; 385 case '?': 386 /* 387 * We warn about unknown arguments but pass them 388 * along anyway-- if someone wants to develop their 389 * own init replacement, they can pass it whatever 390 * args they want. 391 */ 392 err = Z_INVAL; 393 (void) snprintf(outargs, BOOTARGS_MAX, 394 "%s -%c", outargs, optopt); 395 (void) snprintf(badarg, BOOTARGS_MAX, 396 "%s -%c", badarg, optopt); 397 break; 398 } 399 } 400 401 /* 402 * For Solaris Zones we warn about and discard non-option arguments. 403 * Hence 'boot foo bar baz gub' --> 'boot'. However, to be similar 404 * to the kernel, we concat up all the other remaining boot args. 405 * and warn on them as a group. 406 */ 407 if (optind < argc) { 408 err = Z_INVAL; 409 while (optind < argc) { 410 (void) snprintf(badarg, BOOTARGS_MAX, "%s%s%s", 411 badarg, strlen(badarg) > 0 ? " " : "", 412 argv[optind]); 413 optind++; 414 } 415 zerror(zlogp, B_FALSE, "WARNING: Unused or invalid boot " 416 "arguments `%s'.", badarg); 417 } 418 419 done: 420 for (i = 0; i < argc_save; i++) { 421 if (argv_save[i] != NULL) 422 free(argv_save[i]); 423 } 424 free(argv_save); 425 return (err); 426 } 427 428 429 static int 430 mkzonedir(zlog_t *zlogp) 431 { 432 struct stat st; 433 /* 434 * We must create and lock everyone but root out of ZONES_TMPDIR 435 * since anyone can open any UNIX domain socket, regardless of 436 * its file system permissions. Sigh... 437 */ 438 if (mkdir(ZONES_TMPDIR, S_IRWXU) < 0 && errno != EEXIST) { 439 zerror(zlogp, B_TRUE, "could not mkdir '%s'", ZONES_TMPDIR); 440 return (-1); 441 } 442 /* paranoia */ 443 if ((stat(ZONES_TMPDIR, &st) < 0) || !S_ISDIR(st.st_mode)) { 444 zerror(zlogp, B_TRUE, "'%s' is not a directory", ZONES_TMPDIR); 445 return (-1); 446 } 447 (void) chmod(ZONES_TMPDIR, S_IRWXU); 448 return (0); 449 } 450 451 /* 452 * Run the brand's pre-state change callback, if it exists. 453 */ 454 static int 455 brand_prestatechg(zlog_t *zlogp, int state, int cmd) 456 { 457 char cmdbuf[2 * MAXPATHLEN]; 458 459 if (pre_statechg_hook[0] == '\0') 460 return (0); 461 462 if (snprintf(cmdbuf, sizeof (cmdbuf), "%s %d %d", pre_statechg_hook, 463 state, cmd) > sizeof (cmdbuf)) 464 return (-1); 465 466 if (do_subproc(zlogp, cmdbuf, NULL) != 0) 467 return (-1); 468 469 return (0); 470 } 471 472 /* 473 * Run the brand's post-state change callback, if it exists. 474 */ 475 static int 476 brand_poststatechg(zlog_t *zlogp, int state, int cmd) 477 { 478 char cmdbuf[2 * MAXPATHLEN]; 479 480 if (post_statechg_hook[0] == '\0') 481 return (0); 482 483 if (snprintf(cmdbuf, sizeof (cmdbuf), "%s %d %d", post_statechg_hook, 484 state, cmd) > sizeof (cmdbuf)) 485 return (-1); 486 487 if (do_subproc(zlogp, cmdbuf, NULL) != 0) 488 return (-1); 489 490 return (0); 491 } 492 493 /* 494 * Bring a zone up to the pre-boot "ready" stage. The mount_cmd argument is 495 * 'true' if this is being invoked as part of the processing for the "mount" 496 * subcommand. 497 */ 498 static int 499 zone_ready(zlog_t *zlogp, zone_mnt_t mount_cmd, int zstate) 500 { 501 int err; 502 503 if (brand_prestatechg(zlogp, zstate, Z_READY) != 0) 504 return (-1); 505 506 if ((err = zonecfg_create_snapshot(zone_name)) != Z_OK) { 507 zerror(zlogp, B_FALSE, "unable to create snapshot: %s", 508 zonecfg_strerror(err)); 509 goto bad; 510 } 511 512 if ((zone_id = vplat_create(zlogp, mount_cmd)) == -1) { 513 if ((err = zonecfg_destroy_snapshot(zone_name)) != Z_OK) 514 zerror(zlogp, B_FALSE, "destroying snapshot: %s", 515 zonecfg_strerror(err)); 516 goto bad; 517 } 518 if (vplat_bringup(zlogp, mount_cmd, zone_id) != 0) { 519 bringup_failure_recovery = B_TRUE; 520 (void) vplat_teardown(NULL, (mount_cmd != Z_MNT_BOOT), B_FALSE); 521 if ((err = zonecfg_destroy_snapshot(zone_name)) != Z_OK) 522 zerror(zlogp, B_FALSE, "destroying snapshot: %s", 523 zonecfg_strerror(err)); 524 goto bad; 525 } 526 527 if (brand_poststatechg(zlogp, zstate, Z_READY) != 0) 528 goto bad; 529 530 return (0); 531 532 bad: 533 /* 534 * If something goes wrong, we up the zones's state to the target 535 * state, READY, and then invoke the hook as if we're halting. 536 */ 537 (void) brand_poststatechg(zlogp, ZONE_STATE_READY, Z_HALT); 538 return (-1); 539 } 540 541 int 542 init_template(void) 543 { 544 int fd; 545 int err = 0; 546 547 fd = open64(CTFS_ROOT "/process/template", O_RDWR); 548 if (fd == -1) 549 return (-1); 550 551 /* 552 * For now, zoneadmd doesn't do anything with the contract. 553 * Deliver no events, don't inherit, and allow it to be orphaned. 554 */ 555 err |= ct_tmpl_set_critical(fd, 0); 556 err |= ct_tmpl_set_informative(fd, 0); 557 err |= ct_pr_tmpl_set_fatal(fd, CT_PR_EV_HWERR); 558 err |= ct_pr_tmpl_set_param(fd, CT_PR_PGRPONLY | CT_PR_REGENT); 559 if (err || ct_tmpl_activate(fd)) { 560 (void) close(fd); 561 return (-1); 562 } 563 564 return (fd); 565 } 566 567 typedef struct fs_callback { 568 zlog_t *zlogp; 569 zoneid_t zoneid; 570 boolean_t mount_cmd; 571 } fs_callback_t; 572 573 static int 574 mount_early_fs(void *data, const char *spec, const char *dir, 575 const char *fstype, const char *opt) 576 { 577 zlog_t *zlogp = ((fs_callback_t *)data)->zlogp; 578 zoneid_t zoneid = ((fs_callback_t *)data)->zoneid; 579 boolean_t mount_cmd = ((fs_callback_t *)data)->mount_cmd; 580 char rootpath[MAXPATHLEN]; 581 pid_t child; 582 int child_status; 583 int tmpl_fd; 584 int rv; 585 ctid_t ct; 586 587 /* determine the zone rootpath */ 588 if (mount_cmd) { 589 char zonepath[MAXPATHLEN]; 590 char luroot[MAXPATHLEN]; 591 592 if (zone_get_zonepath(zone_name, 593 zonepath, sizeof (zonepath)) != Z_OK) { 594 zerror(zlogp, B_FALSE, "unable to determine zone path"); 595 return (-1); 596 } 597 598 (void) snprintf(luroot, sizeof (luroot), "%s/lu", zonepath); 599 resolve_lofs(zlogp, luroot, sizeof (luroot)); 600 (void) strlcpy(rootpath, luroot, sizeof (rootpath)); 601 } else { 602 if (zone_get_rootpath(zone_name, 603 rootpath, sizeof (rootpath)) != Z_OK) { 604 zerror(zlogp, B_FALSE, "unable to determine zone root"); 605 return (-1); 606 } 607 } 608 609 if ((rv = valid_mount_path(zlogp, rootpath, spec, dir, fstype)) < 0) { 610 zerror(zlogp, B_FALSE, "%s%s is not a valid mount point", 611 rootpath, dir); 612 return (-1); 613 } else if (rv > 0) { 614 /* The mount point path doesn't exist, create it now. */ 615 if (make_one_dir(zlogp, rootpath, dir, 616 DEFAULT_DIR_MODE, DEFAULT_DIR_USER, 617 DEFAULT_DIR_GROUP) != 0) { 618 zerror(zlogp, B_FALSE, "failed to create mount point"); 619 return (-1); 620 } 621 622 /* 623 * Now this might seem weird, but we need to invoke 624 * valid_mount_path() again. Why? Because it checks 625 * to make sure that the mount point path is canonical, 626 * which it can only do if the path exists, so now that 627 * we've created the path we have to verify it again. 628 */ 629 if ((rv = valid_mount_path(zlogp, rootpath, spec, dir, 630 fstype)) < 0) { 631 zerror(zlogp, B_FALSE, 632 "%s%s is not a valid mount point", rootpath, dir); 633 return (-1); 634 } 635 } 636 637 if ((tmpl_fd = init_template()) == -1) { 638 zerror(zlogp, B_TRUE, "failed to create contract"); 639 return (-1); 640 } 641 642 if ((child = fork()) == -1) { 643 (void) ct_tmpl_clear(tmpl_fd); 644 (void) close(tmpl_fd); 645 zerror(zlogp, B_TRUE, "failed to fork"); 646 return (-1); 647 648 } else if (child == 0) { /* child */ 649 char opt_buf[MAX_MNTOPT_STR]; 650 int optlen = 0; 651 int mflag = MS_DATA; 652 653 (void) ct_tmpl_clear(tmpl_fd); 654 /* 655 * Even though there are no procs running in the zone, we 656 * do this for paranoia's sake. 657 */ 658 (void) closefrom(0); 659 660 if (zone_enter(zoneid) == -1) { 661 _exit(errno); 662 } 663 if (opt != NULL) { 664 /* 665 * The mount() system call is incredibly annoying. 666 * If options are specified, we need to copy them 667 * into a temporary buffer since the mount() system 668 * call will overwrite the options string. It will 669 * also fail if the new option string it wants to 670 * write is bigger than the one we passed in, so 671 * you must pass in a buffer of the maximum possible 672 * option string length. sigh. 673 */ 674 (void) strlcpy(opt_buf, opt, sizeof (opt_buf)); 675 opt = opt_buf; 676 optlen = MAX_MNTOPT_STR; 677 mflag = MS_OPTIONSTR; 678 } 679 if (mount(spec, dir, mflag, fstype, NULL, 0, opt, optlen) != 0) 680 _exit(errno); 681 _exit(0); 682 } 683 684 /* parent */ 685 if (contract_latest(&ct) == -1) 686 ct = -1; 687 (void) ct_tmpl_clear(tmpl_fd); 688 (void) close(tmpl_fd); 689 if (waitpid(child, &child_status, 0) != child) { 690 /* unexpected: we must have been signalled */ 691 (void) contract_abandon_id(ct); 692 return (-1); 693 } 694 (void) contract_abandon_id(ct); 695 if (WEXITSTATUS(child_status) != 0) { 696 errno = WEXITSTATUS(child_status); 697 zerror(zlogp, B_TRUE, "mount of %s failed", dir); 698 return (-1); 699 } 700 701 return (0); 702 } 703 704 /* 705 * If retstr is not NULL, the output of the subproc is returned in the str, 706 * otherwise it is output using zerror(). Any memory allocated for retstr 707 * should be freed by the caller. 708 */ 709 int 710 do_subproc(zlog_t *zlogp, char *cmdbuf, char **retstr) 711 { 712 char buf[1024]; /* arbitrary large amount */ 713 char *inbuf; 714 FILE *file; 715 int status; 716 int rd_cnt; 717 718 if (retstr != NULL) { 719 if ((*retstr = malloc(1024)) == NULL) { 720 zerror(zlogp, B_FALSE, "out of memory"); 721 return (-1); 722 } 723 inbuf = *retstr; 724 rd_cnt = 0; 725 } else { 726 inbuf = buf; 727 } 728 729 file = popen(cmdbuf, "r"); 730 if (file == NULL) { 731 zerror(zlogp, B_TRUE, "could not launch: %s", cmdbuf); 732 return (-1); 733 } 734 735 while (fgets(inbuf, 1024, file) != NULL) { 736 if (retstr == NULL) { 737 if (zlogp != &logsys) 738 zerror(zlogp, B_FALSE, "%s", inbuf); 739 } else { 740 char *p; 741 742 rd_cnt += 1024 - 1; 743 if ((p = realloc(*retstr, rd_cnt + 1024)) == NULL) { 744 zerror(zlogp, B_FALSE, "out of memory"); 745 (void) pclose(file); 746 return (-1); 747 } 748 749 *retstr = p; 750 inbuf = *retstr + rd_cnt; 751 } 752 } 753 status = pclose(file); 754 755 if (WIFSIGNALED(status)) { 756 zerror(zlogp, B_FALSE, "%s unexpectedly terminated due to " 757 "signal %d", cmdbuf, WTERMSIG(status)); 758 return (-1); 759 } 760 assert(WIFEXITED(status)); 761 if (WEXITSTATUS(status) == ZEXIT_EXEC) { 762 zerror(zlogp, B_FALSE, "failed to exec %s", cmdbuf); 763 return (-1); 764 } 765 return (WEXITSTATUS(status)); 766 } 767 768 static int 769 zone_bootup(zlog_t *zlogp, const char *bootargs, int zstate) 770 { 771 zoneid_t zoneid; 772 struct stat st; 773 char zpath[MAXPATHLEN], initpath[MAXPATHLEN], init_file[MAXPATHLEN]; 774 char nbootargs[BOOTARGS_MAX]; 775 char cmdbuf[MAXPATHLEN]; 776 fs_callback_t cb; 777 brand_handle_t bh; 778 zone_iptype_t iptype; 779 boolean_t links_loaded = B_FALSE; 780 dladm_status_t status; 781 char errmsg[DLADM_STRSIZE]; 782 int err; 783 784 if (brand_prestatechg(zlogp, zstate, Z_BOOT) != 0) 785 return (-1); 786 787 if ((zoneid = getzoneidbyname(zone_name)) == -1) { 788 zerror(zlogp, B_TRUE, "unable to get zoneid"); 789 goto bad; 790 } 791 792 cb.zlogp = zlogp; 793 cb.zoneid = zoneid; 794 cb.mount_cmd = B_FALSE; 795 796 /* Get a handle to the brand info for this zone */ 797 if ((bh = brand_open(brand_name)) == NULL) { 798 zerror(zlogp, B_FALSE, "unable to determine zone brand"); 799 goto bad; 800 } 801 802 /* 803 * Get the list of filesystems to mount from the brand 804 * configuration. These mounts are done via a thread that will 805 * enter the zone, so they are done from within the context of the 806 * zone. 807 */ 808 if (brand_platform_iter_mounts(bh, mount_early_fs, &cb) != 0) { 809 zerror(zlogp, B_FALSE, "unable to mount filesystems"); 810 brand_close(bh); 811 goto bad; 812 } 813 814 /* 815 * Get the brand's boot callback if it exists. 816 */ 817 if (zone_get_zonepath(zone_name, zpath, sizeof (zpath)) != Z_OK) { 818 zerror(zlogp, B_FALSE, "unable to determine zone path"); 819 brand_close(bh); 820 goto bad; 821 } 822 (void) strcpy(cmdbuf, EXEC_PREFIX); 823 if (brand_get_boot(bh, zone_name, zpath, cmdbuf + EXEC_LEN, 824 sizeof (cmdbuf) - EXEC_LEN) != 0) { 825 zerror(zlogp, B_FALSE, 826 "unable to determine branded zone's boot callback"); 827 brand_close(bh); 828 goto bad; 829 } 830 831 /* Get the path for this zone's init(1M) (or equivalent) process. */ 832 if (brand_get_initname(bh, init_file, MAXPATHLEN) != 0) { 833 zerror(zlogp, B_FALSE, 834 "unable to determine zone's init(1M) location"); 835 brand_close(bh); 836 goto bad; 837 } 838 839 brand_close(bh); 840 841 err = filter_bootargs(zlogp, bootargs, nbootargs, init_file, 842 bad_boot_arg); 843 if (err == Z_INVAL) 844 eventstream_write(Z_EVT_ZONE_BADARGS); 845 else if (err != Z_OK) 846 goto bad; 847 848 assert(init_file[0] != '\0'); 849 850 /* Try to anticipate possible problems: Make sure init is executable. */ 851 if (zone_get_rootpath(zone_name, zpath, sizeof (zpath)) != Z_OK) { 852 zerror(zlogp, B_FALSE, "unable to determine zone root"); 853 goto bad; 854 } 855 856 (void) snprintf(initpath, sizeof (initpath), "%s%s", zpath, init_file); 857 858 if (stat(initpath, &st) == -1) { 859 zerror(zlogp, B_TRUE, "could not stat %s", initpath); 860 goto bad; 861 } 862 863 if ((st.st_mode & S_IXUSR) == 0) { 864 zerror(zlogp, B_FALSE, "%s is not executable", initpath); 865 goto bad; 866 } 867 868 /* 869 * Exclusive stack zones interact with the dlmgmtd running in the 870 * global zone. dladm_zone_boot() tells dlmgmtd that this zone is 871 * booting, and loads its datalinks from the zone's datalink 872 * configuration file. 873 */ 874 if (vplat_get_iptype(zlogp, &iptype) == 0 && iptype == ZS_EXCLUSIVE) { 875 status = dladm_zone_boot(dld_handle, zoneid); 876 if (status != DLADM_STATUS_OK) { 877 zerror(zlogp, B_FALSE, "unable to load zone datalinks: " 878 " %s", dladm_status2str(status, errmsg)); 879 goto bad; 880 } 881 links_loaded = B_TRUE; 882 } 883 884 /* 885 * If there is a brand 'boot' callback, execute it now to give the 886 * brand one last chance to do any additional setup before the zone 887 * is booted. 888 */ 889 if ((strlen(cmdbuf) > EXEC_LEN) && 890 (do_subproc(zlogp, cmdbuf, NULL) != Z_OK)) { 891 zerror(zlogp, B_FALSE, "%s failed", cmdbuf); 892 goto bad; 893 } 894 895 if (zone_setattr(zoneid, ZONE_ATTR_INITNAME, init_file, 0) == -1) { 896 zerror(zlogp, B_TRUE, "could not set zone boot file"); 897 goto bad; 898 } 899 900 if (zone_setattr(zoneid, ZONE_ATTR_BOOTARGS, nbootargs, 0) == -1) { 901 zerror(zlogp, B_TRUE, "could not set zone boot arguments"); 902 goto bad; 903 } 904 905 if (zone_boot(zoneid) == -1) { 906 zerror(zlogp, B_TRUE, "unable to boot zone"); 907 goto bad; 908 } 909 910 if (brand_poststatechg(zlogp, zstate, Z_BOOT) != 0) 911 goto bad; 912 913 return (0); 914 915 bad: 916 /* 917 * If something goes wrong, we up the zones's state to the target 918 * state, RUNNING, and then invoke the hook as if we're halting. 919 */ 920 (void) brand_poststatechg(zlogp, ZONE_STATE_RUNNING, Z_HALT); 921 if (links_loaded) 922 (void) dladm_zone_halt(dld_handle, zoneid); 923 return (-1); 924 } 925 926 static int 927 zone_halt(zlog_t *zlogp, boolean_t unmount_cmd, boolean_t rebooting, int zstate) 928 { 929 int err; 930 931 if (brand_prestatechg(zlogp, zstate, Z_HALT) != 0) 932 return (-1); 933 934 if (vplat_teardown(zlogp, unmount_cmd, rebooting) != 0) { 935 if (!bringup_failure_recovery) 936 zerror(zlogp, B_FALSE, "unable to destroy zone"); 937 return (-1); 938 } 939 940 if ((err = zonecfg_destroy_snapshot(zone_name)) != Z_OK) 941 zerror(zlogp, B_FALSE, "destroying snapshot: %s", 942 zonecfg_strerror(err)); 943 944 if (brand_poststatechg(zlogp, zstate, Z_HALT) != 0) 945 return (-1); 946 947 return (0); 948 } 949 950 /* 951 * Generate AUE_zone_state for a command that boots a zone. 952 */ 953 static void 954 audit_put_record(zlog_t *zlogp, ucred_t *uc, int return_val, 955 char *new_state) 956 { 957 adt_session_data_t *ah; 958 adt_event_data_t *event; 959 int pass_fail, fail_reason; 960 961 if (!adt_audit_enabled()) 962 return; 963 964 if (return_val == 0) { 965 pass_fail = ADT_SUCCESS; 966 fail_reason = ADT_SUCCESS; 967 } else { 968 pass_fail = ADT_FAILURE; 969 fail_reason = ADT_FAIL_VALUE_PROGRAM; 970 } 971 972 if (adt_start_session(&ah, NULL, 0)) { 973 zerror(zlogp, B_TRUE, gettext("audit failure.")); 974 return; 975 } 976 if (adt_set_from_ucred(ah, uc, ADT_NEW)) { 977 zerror(zlogp, B_TRUE, gettext("audit failure.")); 978 (void) adt_end_session(ah); 979 return; 980 } 981 982 event = adt_alloc_event(ah, ADT_zone_state); 983 if (event == NULL) { 984 zerror(zlogp, B_TRUE, gettext("audit failure.")); 985 (void) adt_end_session(ah); 986 return; 987 } 988 event->adt_zone_state.zonename = zone_name; 989 event->adt_zone_state.new_state = new_state; 990 991 if (adt_put_event(event, pass_fail, fail_reason)) 992 zerror(zlogp, B_TRUE, gettext("audit failure.")); 993 994 adt_free_event(event); 995 996 (void) adt_end_session(ah); 997 } 998 999 /* 1000 * The main routine for the door server that deals with zone state transitions. 1001 */ 1002 /* ARGSUSED */ 1003 static void 1004 server(void *cookie, char *args, size_t alen, door_desc_t *dp, 1005 uint_t n_desc) 1006 { 1007 ucred_t *uc = NULL; 1008 const priv_set_t *eset; 1009 1010 zone_state_t zstate; 1011 zone_cmd_t cmd; 1012 zone_cmd_arg_t *zargp; 1013 1014 boolean_t kernelcall; 1015 1016 int rval = -1; 1017 uint64_t uniqid; 1018 zoneid_t zoneid = -1; 1019 zlog_t zlog; 1020 zlog_t *zlogp; 1021 zone_cmd_rval_t *rvalp; 1022 size_t rlen = getpagesize(); /* conservative */ 1023 fs_callback_t cb; 1024 brand_handle_t bh; 1025 1026 /* LINTED E_BAD_PTR_CAST_ALIGN */ 1027 zargp = (zone_cmd_arg_t *)args; 1028 1029 /* 1030 * When we get the door unref message, we've fdetach'd the door, and 1031 * it is time for us to shut down zoneadmd. 1032 */ 1033 if (zargp == DOOR_UNREF_DATA) { 1034 /* 1035 * See comment at end of main() for info on the last rites. 1036 */ 1037 exit(0); 1038 } 1039 1040 if (zargp == NULL) { 1041 (void) door_return(NULL, 0, 0, 0); 1042 } 1043 1044 rvalp = alloca(rlen); 1045 bzero(rvalp, rlen); 1046 zlog.logfile = NULL; 1047 zlog.buflen = zlog.loglen = rlen - sizeof (zone_cmd_rval_t) + 1; 1048 zlog.buf = rvalp->errbuf; 1049 zlog.log = zlog.buf; 1050 /* defer initialization of zlog.locale until after credential check */ 1051 zlogp = &zlog; 1052 1053 if (alen != sizeof (zone_cmd_arg_t)) { 1054 /* 1055 * This really shouldn't be happening. 1056 */ 1057 zerror(&logsys, B_FALSE, "argument size (%d bytes) " 1058 "unexpected (expected %d bytes)", alen, 1059 sizeof (zone_cmd_arg_t)); 1060 goto out; 1061 } 1062 cmd = zargp->cmd; 1063 1064 if (door_ucred(&uc) != 0) { 1065 zerror(&logsys, B_TRUE, "door_ucred"); 1066 goto out; 1067 } 1068 eset = ucred_getprivset(uc, PRIV_EFFECTIVE); 1069 if (ucred_getzoneid(uc) != GLOBAL_ZONEID || 1070 (eset != NULL ? !priv_ismember(eset, PRIV_SYS_CONFIG) : 1071 ucred_geteuid(uc) != 0)) { 1072 zerror(&logsys, B_FALSE, "insufficient privileges"); 1073 goto out; 1074 } 1075 1076 kernelcall = ucred_getpid(uc) == 0; 1077 1078 /* 1079 * This is safe because we only use a zlog_t throughout the 1080 * duration of a door call; i.e., by the time the pointer 1081 * might become invalid, the door call would be over. 1082 */ 1083 zlog.locale = kernelcall ? DEFAULT_LOCALE : zargp->locale; 1084 1085 (void) mutex_lock(&lock); 1086 1087 /* 1088 * Once we start to really die off, we don't want more connections. 1089 */ 1090 if (in_death_throes) { 1091 (void) mutex_unlock(&lock); 1092 ucred_free(uc); 1093 (void) door_return(NULL, 0, 0, 0); 1094 thr_exit(NULL); 1095 } 1096 1097 /* 1098 * Check for validity of command. 1099 */ 1100 if (cmd != Z_READY && cmd != Z_BOOT && cmd != Z_FORCEBOOT && 1101 cmd != Z_REBOOT && cmd != Z_HALT && cmd != Z_NOTE_UNINSTALLING && 1102 cmd != Z_MOUNT && cmd != Z_FORCEMOUNT && cmd != Z_UNMOUNT) { 1103 zerror(&logsys, B_FALSE, "invalid command %d", (int)cmd); 1104 goto out; 1105 } 1106 1107 if (kernelcall && (cmd != Z_HALT && cmd != Z_REBOOT)) { 1108 /* 1109 * Can't happen 1110 */ 1111 zerror(&logsys, B_FALSE, "received unexpected kernel upcall %d", 1112 cmd); 1113 goto out; 1114 } 1115 /* 1116 * We ignore the possibility of someone calling zone_create(2) 1117 * explicitly; all requests must come through zoneadmd. 1118 */ 1119 if (zone_get_state(zone_name, &zstate) != Z_OK) { 1120 /* 1121 * Something terribly wrong happened 1122 */ 1123 zerror(&logsys, B_FALSE, "unable to determine state of zone"); 1124 goto out; 1125 } 1126 1127 if (kernelcall) { 1128 /* 1129 * Kernel-initiated requests may lose their validity if the 1130 * zone_t the kernel was referring to has gone away. 1131 */ 1132 if ((zoneid = getzoneidbyname(zone_name)) == -1 || 1133 zone_getattr(zoneid, ZONE_ATTR_UNIQID, &uniqid, 1134 sizeof (uniqid)) == -1 || uniqid != zargp->uniqid) { 1135 /* 1136 * We're not talking about the same zone. The request 1137 * must have arrived too late. Return error. 1138 */ 1139 rval = -1; 1140 goto out; 1141 } 1142 zlogp = &logsys; /* Log errors to syslog */ 1143 } 1144 1145 /* 1146 * If we are being asked to forcibly mount or boot a zone, we 1147 * pretend that an INCOMPLETE zone is actually INSTALLED. 1148 */ 1149 if (zstate == ZONE_STATE_INCOMPLETE && 1150 (cmd == Z_FORCEBOOT || cmd == Z_FORCEMOUNT)) 1151 zstate = ZONE_STATE_INSTALLED; 1152 1153 switch (zstate) { 1154 case ZONE_STATE_CONFIGURED: 1155 case ZONE_STATE_INCOMPLETE: 1156 /* 1157 * Not our area of expertise; we just print a nice message 1158 * and die off. 1159 */ 1160 zerror(zlogp, B_FALSE, 1161 "%s operation is invalid for zones in state '%s'", 1162 z_cmd_name(cmd), zone_state_str(zstate)); 1163 break; 1164 1165 case ZONE_STATE_INSTALLED: 1166 switch (cmd) { 1167 case Z_READY: 1168 rval = zone_ready(zlogp, Z_MNT_BOOT, zstate); 1169 if (rval == 0) 1170 eventstream_write(Z_EVT_ZONE_READIED); 1171 break; 1172 case Z_BOOT: 1173 case Z_FORCEBOOT: 1174 eventstream_write(Z_EVT_ZONE_BOOTING); 1175 if ((rval = zone_ready(zlogp, Z_MNT_BOOT, zstate)) 1176 == 0) { 1177 rval = zone_bootup(zlogp, zargp->bootbuf, 1178 zstate); 1179 } 1180 audit_put_record(zlogp, uc, rval, "boot"); 1181 if (rval != 0) { 1182 bringup_failure_recovery = B_TRUE; 1183 (void) zone_halt(zlogp, B_FALSE, B_FALSE, 1184 zstate); 1185 eventstream_write(Z_EVT_ZONE_BOOTFAILED); 1186 } 1187 break; 1188 case Z_HALT: 1189 if (kernelcall) /* Invalid; can't happen */ 1190 abort(); 1191 /* 1192 * We could have two clients racing to halt this 1193 * zone; the second client loses, but his request 1194 * doesn't fail, since the zone is now in the desired 1195 * state. 1196 */ 1197 zerror(zlogp, B_FALSE, "zone is already halted"); 1198 rval = 0; 1199 break; 1200 case Z_REBOOT: 1201 if (kernelcall) /* Invalid; can't happen */ 1202 abort(); 1203 zerror(zlogp, B_FALSE, "%s operation is invalid " 1204 "for zones in state '%s'", z_cmd_name(cmd), 1205 zone_state_str(zstate)); 1206 rval = -1; 1207 break; 1208 case Z_NOTE_UNINSTALLING: 1209 if (kernelcall) /* Invalid; can't happen */ 1210 abort(); 1211 /* 1212 * Tell the console to print out a message about this. 1213 * Once it does, we will be in_death_throes. 1214 */ 1215 eventstream_write(Z_EVT_ZONE_UNINSTALLING); 1216 break; 1217 case Z_MOUNT: 1218 case Z_FORCEMOUNT: 1219 if (kernelcall) /* Invalid; can't happen */ 1220 abort(); 1221 if (!zone_isnative && !zone_iscluster && 1222 !zone_islabeled) { 1223 /* 1224 * -U mounts the zone without lofs mounting 1225 * zone file systems back into the scratch 1226 * zone. This is required when mounting 1227 * non-native branded zones. 1228 */ 1229 (void) strlcpy(zargp->bootbuf, "-U", 1230 BOOTARGS_MAX); 1231 } 1232 1233 rval = zone_ready(zlogp, 1234 strcmp(zargp->bootbuf, "-U") == 0 ? 1235 Z_MNT_UPDATE : Z_MNT_SCRATCH, zstate); 1236 if (rval != 0) 1237 break; 1238 1239 eventstream_write(Z_EVT_ZONE_READIED); 1240 1241 /* 1242 * Get a handle to the native brand info. 1243 * We must always use the native brand file system 1244 * list when mounting the zone. 1245 */ 1246 if ((bh = brand_open(NATIVE_BRAND_NAME)) == NULL) { 1247 rval = -1; 1248 break; 1249 } 1250 1251 /* 1252 * Get the list of filesystems to mount from 1253 * the brand configuration. These mounts are done 1254 * via a thread that will enter the zone, so they 1255 * are done from within the context of the zone. 1256 */ 1257 cb.zlogp = zlogp; 1258 cb.zoneid = zone_id; 1259 cb.mount_cmd = B_TRUE; 1260 rval = brand_platform_iter_mounts(bh, 1261 mount_early_fs, &cb); 1262 1263 brand_close(bh); 1264 1265 /* 1266 * Ordinarily, /dev/fd would be mounted inside the zone 1267 * by svc:/system/filesystem/usr:default, but since 1268 * we're not booting the zone, we need to do this 1269 * manually. 1270 */ 1271 if (rval == 0) 1272 rval = mount_early_fs(&cb, 1273 "fd", "/dev/fd", "fd", NULL); 1274 break; 1275 case Z_UNMOUNT: 1276 if (kernelcall) /* Invalid; can't happen */ 1277 abort(); 1278 zerror(zlogp, B_FALSE, "zone is already unmounted"); 1279 rval = 0; 1280 break; 1281 } 1282 break; 1283 1284 case ZONE_STATE_READY: 1285 switch (cmd) { 1286 case Z_READY: 1287 /* 1288 * We could have two clients racing to ready this 1289 * zone; the second client loses, but his request 1290 * doesn't fail, since the zone is now in the desired 1291 * state. 1292 */ 1293 zerror(zlogp, B_FALSE, "zone is already ready"); 1294 rval = 0; 1295 break; 1296 case Z_BOOT: 1297 (void) strlcpy(boot_args, zargp->bootbuf, 1298 sizeof (boot_args)); 1299 eventstream_write(Z_EVT_ZONE_BOOTING); 1300 rval = zone_bootup(zlogp, zargp->bootbuf, zstate); 1301 audit_put_record(zlogp, uc, rval, "boot"); 1302 if (rval != 0) { 1303 bringup_failure_recovery = B_TRUE; 1304 (void) zone_halt(zlogp, B_FALSE, B_TRUE, 1305 zstate); 1306 eventstream_write(Z_EVT_ZONE_BOOTFAILED); 1307 } 1308 boot_args[0] = '\0'; 1309 break; 1310 case Z_HALT: 1311 if (kernelcall) /* Invalid; can't happen */ 1312 abort(); 1313 if ((rval = zone_halt(zlogp, B_FALSE, B_FALSE, zstate)) 1314 != 0) 1315 break; 1316 eventstream_write(Z_EVT_ZONE_HALTED); 1317 break; 1318 case Z_REBOOT: 1319 case Z_NOTE_UNINSTALLING: 1320 case Z_MOUNT: 1321 case Z_UNMOUNT: 1322 if (kernelcall) /* Invalid; can't happen */ 1323 abort(); 1324 zerror(zlogp, B_FALSE, "%s operation is invalid " 1325 "for zones in state '%s'", z_cmd_name(cmd), 1326 zone_state_str(zstate)); 1327 rval = -1; 1328 break; 1329 } 1330 break; 1331 1332 case ZONE_STATE_MOUNTED: 1333 switch (cmd) { 1334 case Z_UNMOUNT: 1335 if (kernelcall) /* Invalid; can't happen */ 1336 abort(); 1337 rval = zone_halt(zlogp, B_TRUE, B_FALSE, zstate); 1338 if (rval == 0) { 1339 eventstream_write(Z_EVT_ZONE_HALTED); 1340 (void) sema_post(&scratch_sem); 1341 } 1342 break; 1343 default: 1344 if (kernelcall) /* Invalid; can't happen */ 1345 abort(); 1346 zerror(zlogp, B_FALSE, "%s operation is invalid " 1347 "for zones in state '%s'", z_cmd_name(cmd), 1348 zone_state_str(zstate)); 1349 rval = -1; 1350 break; 1351 } 1352 break; 1353 1354 case ZONE_STATE_RUNNING: 1355 case ZONE_STATE_SHUTTING_DOWN: 1356 case ZONE_STATE_DOWN: 1357 switch (cmd) { 1358 case Z_READY: 1359 if ((rval = zone_halt(zlogp, B_FALSE, B_TRUE, zstate)) 1360 != 0) 1361 break; 1362 if ((rval = zone_ready(zlogp, Z_MNT_BOOT, zstate)) == 0) 1363 eventstream_write(Z_EVT_ZONE_READIED); 1364 else 1365 eventstream_write(Z_EVT_ZONE_HALTED); 1366 break; 1367 case Z_BOOT: 1368 /* 1369 * We could have two clients racing to boot this 1370 * zone; the second client loses, but his request 1371 * doesn't fail, since the zone is now in the desired 1372 * state. 1373 */ 1374 zerror(zlogp, B_FALSE, "zone is already booted"); 1375 rval = 0; 1376 break; 1377 case Z_HALT: 1378 if ((rval = zone_halt(zlogp, B_FALSE, B_FALSE, zstate)) 1379 != 0) 1380 break; 1381 eventstream_write(Z_EVT_ZONE_HALTED); 1382 break; 1383 case Z_REBOOT: 1384 (void) strlcpy(boot_args, zargp->bootbuf, 1385 sizeof (boot_args)); 1386 eventstream_write(Z_EVT_ZONE_REBOOTING); 1387 if ((rval = zone_halt(zlogp, B_FALSE, B_TRUE, zstate)) 1388 != 0) { 1389 eventstream_write(Z_EVT_ZONE_BOOTFAILED); 1390 boot_args[0] = '\0'; 1391 break; 1392 } 1393 if ((rval = zone_ready(zlogp, Z_MNT_BOOT, zstate)) 1394 != 0) { 1395 eventstream_write(Z_EVT_ZONE_BOOTFAILED); 1396 boot_args[0] = '\0'; 1397 break; 1398 } 1399 rval = zone_bootup(zlogp, zargp->bootbuf, zstate); 1400 audit_put_record(zlogp, uc, rval, "reboot"); 1401 if (rval != 0) { 1402 (void) zone_halt(zlogp, B_FALSE, B_TRUE, 1403 zstate); 1404 eventstream_write(Z_EVT_ZONE_BOOTFAILED); 1405 } 1406 boot_args[0] = '\0'; 1407 break; 1408 case Z_NOTE_UNINSTALLING: 1409 case Z_MOUNT: 1410 case Z_UNMOUNT: 1411 zerror(zlogp, B_FALSE, "%s operation is invalid " 1412 "for zones in state '%s'", z_cmd_name(cmd), 1413 zone_state_str(zstate)); 1414 rval = -1; 1415 break; 1416 } 1417 break; 1418 default: 1419 abort(); 1420 } 1421 1422 /* 1423 * Because the state of the zone may have changed, we make sure 1424 * to wake the console poller, which is in charge of initiating 1425 * the shutdown procedure as necessary. 1426 */ 1427 eventstream_write(Z_EVT_NULL); 1428 1429 out: 1430 (void) mutex_unlock(&lock); 1431 if (kernelcall) { 1432 rvalp = NULL; 1433 rlen = 0; 1434 } else { 1435 rvalp->rval = rval; 1436 } 1437 if (uc != NULL) 1438 ucred_free(uc); 1439 (void) door_return((char *)rvalp, rlen, NULL, 0); 1440 thr_exit(NULL); 1441 } 1442 1443 static int 1444 setup_door(zlog_t *zlogp) 1445 { 1446 if ((zone_door = door_create(server, NULL, 1447 DOOR_UNREF | DOOR_REFUSE_DESC | DOOR_NO_CANCEL)) < 0) { 1448 zerror(zlogp, B_TRUE, "%s failed", "door_create"); 1449 return (-1); 1450 } 1451 (void) fdetach(zone_door_path); 1452 1453 if (fattach(zone_door, zone_door_path) != 0) { 1454 zerror(zlogp, B_TRUE, "fattach to %s failed", zone_door_path); 1455 (void) door_revoke(zone_door); 1456 (void) fdetach(zone_door_path); 1457 zone_door = -1; 1458 return (-1); 1459 } 1460 return (0); 1461 } 1462 1463 /* 1464 * zoneadm(1m) will start zoneadmd if it thinks it isn't running; this 1465 * is where zoneadmd itself will check to see that another instance of 1466 * zoneadmd isn't already controlling this zone. 1467 * 1468 * The idea here is that we want to open the path to which we will 1469 * attach our door, lock it, and then make sure that no-one has beat us 1470 * to fattach(3c)ing onto it. 1471 * 1472 * fattach(3c) is really a mount, so there are actually two possible 1473 * vnodes we could be dealing with. Our strategy is as follows: 1474 * 1475 * - If the file we opened is a regular file (common case): 1476 * There is no fattach(3c)ed door, so we have a chance of becoming 1477 * the managing zoneadmd. We attempt to lock the file: if it is 1478 * already locked, that means someone else raced us here, so we 1479 * lose and give up. zoneadm(1m) will try to contact the zoneadmd 1480 * that beat us to it. 1481 * 1482 * - If the file we opened is a namefs file: 1483 * This means there is already an established door fattach(3c)'ed 1484 * to the rendezvous path. We've lost the race, so we give up. 1485 * Note that in this case we also try to grab the file lock, and 1486 * will succeed in acquiring it since the vnode locked by the 1487 * "winning" zoneadmd was a regular one, and the one we locked was 1488 * the fattach(3c)'ed door node. At any rate, no harm is done, and 1489 * we just return to zoneadm(1m) which knows to retry. 1490 */ 1491 static int 1492 make_daemon_exclusive(zlog_t *zlogp) 1493 { 1494 int doorfd = -1; 1495 int err, ret = -1; 1496 struct stat st; 1497 struct flock flock; 1498 zone_state_t zstate; 1499 1500 top: 1501 if ((err = zone_get_state(zone_name, &zstate)) != Z_OK) { 1502 zerror(zlogp, B_FALSE, "failed to get zone state: %s", 1503 zonecfg_strerror(err)); 1504 goto out; 1505 } 1506 if ((doorfd = open(zone_door_path, O_CREAT|O_RDWR, 1507 S_IREAD|S_IWRITE)) < 0) { 1508 zerror(zlogp, B_TRUE, "failed to open %s", zone_door_path); 1509 goto out; 1510 } 1511 if (fstat(doorfd, &st) < 0) { 1512 zerror(zlogp, B_TRUE, "failed to stat %s", zone_door_path); 1513 goto out; 1514 } 1515 /* 1516 * Lock the file to synchronize with other zoneadmd 1517 */ 1518 flock.l_type = F_WRLCK; 1519 flock.l_whence = SEEK_SET; 1520 flock.l_start = (off_t)0; 1521 flock.l_len = (off_t)0; 1522 if (fcntl(doorfd, F_SETLK, &flock) < 0) { 1523 /* 1524 * Someone else raced us here and grabbed the lock file 1525 * first. A warning here is inappropriate since nothing 1526 * went wrong. 1527 */ 1528 goto out; 1529 } 1530 1531 if (strcmp(st.st_fstype, "namefs") == 0) { 1532 struct door_info info; 1533 1534 /* 1535 * There is already something fattach()'ed to this file. 1536 * Lets see what the door is up to. 1537 */ 1538 if (door_info(doorfd, &info) == 0 && info.di_target != -1) { 1539 /* 1540 * Another zoneadmd process seems to be in 1541 * control of the situation and we don't need to 1542 * be here. A warning here is inappropriate 1543 * since nothing went wrong. 1544 * 1545 * If the door has been revoked, the zoneadmd 1546 * process currently managing the zone is going 1547 * away. We'll return control to zoneadm(1m) 1548 * which will try again (by which time zoneadmd 1549 * will hopefully have exited). 1550 */ 1551 goto out; 1552 } 1553 1554 /* 1555 * If we got this far, there's a fattach(3c)'ed door 1556 * that belongs to a process that has exited, which can 1557 * happen if the previous zoneadmd died unexpectedly. 1558 * 1559 * Let user know that something is amiss, but that we can 1560 * recover; if the zone is in the installed state, then don't 1561 * message, since having a running zoneadmd isn't really 1562 * expected/needed. We want to keep occurences of this message 1563 * limited to times when zoneadmd is picking back up from a 1564 * zoneadmd that died while the zone was in some non-trivial 1565 * state. 1566 */ 1567 if (zstate > ZONE_STATE_INSTALLED) { 1568 zerror(zlogp, B_FALSE, 1569 "zone '%s': WARNING: zone is in state '%s', but " 1570 "zoneadmd does not appear to be available; " 1571 "restarted zoneadmd to recover.", 1572 zone_name, zone_state_str(zstate)); 1573 } 1574 1575 (void) fdetach(zone_door_path); 1576 (void) close(doorfd); 1577 goto top; 1578 } 1579 ret = 0; 1580 out: 1581 (void) close(doorfd); 1582 return (ret); 1583 } 1584 1585 /* 1586 * Setup the brand's pre and post state change callbacks, as well as the 1587 * query callback, if any of these exist. 1588 */ 1589 static int 1590 brand_callback_init(brand_handle_t bh, char *zone_name) 1591 { 1592 char zpath[MAXPATHLEN]; 1593 1594 if (zone_get_zonepath(zone_name, zpath, sizeof (zpath)) != Z_OK) 1595 return (-1); 1596 1597 (void) strlcpy(pre_statechg_hook, EXEC_PREFIX, 1598 sizeof (pre_statechg_hook)); 1599 1600 if (brand_get_prestatechange(bh, zone_name, zpath, 1601 pre_statechg_hook + EXEC_LEN, 1602 sizeof (pre_statechg_hook) - EXEC_LEN) != 0) 1603 return (-1); 1604 1605 if (strlen(pre_statechg_hook) <= EXEC_LEN) 1606 pre_statechg_hook[0] = '\0'; 1607 1608 (void) strlcpy(post_statechg_hook, EXEC_PREFIX, 1609 sizeof (post_statechg_hook)); 1610 1611 if (brand_get_poststatechange(bh, zone_name, zpath, 1612 post_statechg_hook + EXEC_LEN, 1613 sizeof (post_statechg_hook) - EXEC_LEN) != 0) 1614 return (-1); 1615 1616 if (strlen(post_statechg_hook) <= EXEC_LEN) 1617 post_statechg_hook[0] = '\0'; 1618 1619 (void) strlcpy(query_hook, EXEC_PREFIX, 1620 sizeof (query_hook)); 1621 1622 if (brand_get_query(bh, zone_name, zpath, query_hook + EXEC_LEN, 1623 sizeof (query_hook) - EXEC_LEN) != 0) 1624 return (-1); 1625 1626 if (strlen(query_hook) <= EXEC_LEN) 1627 query_hook[0] = '\0'; 1628 1629 return (0); 1630 } 1631 1632 int 1633 main(int argc, char *argv[]) 1634 { 1635 int opt; 1636 zoneid_t zid; 1637 priv_set_t *privset; 1638 zone_state_t zstate; 1639 char parents_locale[MAXPATHLEN]; 1640 brand_handle_t bh; 1641 int err; 1642 1643 pid_t pid; 1644 sigset_t blockset; 1645 sigset_t block_cld; 1646 1647 struct { 1648 sema_t sem; 1649 int status; 1650 zlog_t log; 1651 } *shstate; 1652 size_t shstatelen = getpagesize(); 1653 1654 zlog_t errlog; 1655 zlog_t *zlogp; 1656 1657 int ctfd; 1658 1659 progname = get_execbasename(argv[0]); 1660 1661 /* 1662 * Make sure stderr is unbuffered 1663 */ 1664 (void) setbuffer(stderr, NULL, 0); 1665 1666 /* 1667 * Get out of the way of mounted filesystems, since we will daemonize 1668 * soon. 1669 */ 1670 (void) chdir("/"); 1671 1672 /* 1673 * Use the default system umask per PSARC 1998/110 rather than 1674 * anything that may have been set by the caller. 1675 */ 1676 (void) umask(CMASK); 1677 1678 /* 1679 * Initially we want to use our parent's locale. 1680 */ 1681 (void) setlocale(LC_ALL, ""); 1682 (void) textdomain(TEXT_DOMAIN); 1683 (void) strlcpy(parents_locale, setlocale(LC_MESSAGES, NULL), 1684 sizeof (parents_locale)); 1685 1686 /* 1687 * This zlog_t is used for writing to stderr 1688 */ 1689 errlog.logfile = stderr; 1690 errlog.buflen = errlog.loglen = 0; 1691 errlog.buf = errlog.log = NULL; 1692 errlog.locale = parents_locale; 1693 1694 /* 1695 * We start off writing to stderr until we're ready to daemonize. 1696 */ 1697 zlogp = &errlog; 1698 1699 /* 1700 * Process options. 1701 */ 1702 while ((opt = getopt(argc, argv, "R:z:")) != EOF) { 1703 switch (opt) { 1704 case 'R': 1705 zonecfg_set_root(optarg); 1706 break; 1707 case 'z': 1708 zone_name = optarg; 1709 break; 1710 default: 1711 usage(); 1712 } 1713 } 1714 1715 if (zone_name == NULL) 1716 usage(); 1717 1718 /* 1719 * Because usage() prints directly to stderr, it has gettext() 1720 * wrapping, which depends on the locale. But since zerror() calls 1721 * localize() which tweaks the locale, it is not safe to call zerror() 1722 * until after the last call to usage(). Fortunately, the last call 1723 * to usage() is just above and the first call to zerror() is just 1724 * below. Don't mess this up. 1725 */ 1726 if (strcmp(zone_name, GLOBAL_ZONENAME) == 0) { 1727 zerror(zlogp, B_FALSE, "cannot manage the %s zone", 1728 GLOBAL_ZONENAME); 1729 return (1); 1730 } 1731 1732 if (zone_get_id(zone_name, &zid) != 0) { 1733 zerror(zlogp, B_FALSE, "could not manage %s: %s", zone_name, 1734 zonecfg_strerror(Z_NO_ZONE)); 1735 return (1); 1736 } 1737 1738 if ((err = zone_get_state(zone_name, &zstate)) != Z_OK) { 1739 zerror(zlogp, B_FALSE, "failed to get zone state: %s", 1740 zonecfg_strerror(err)); 1741 return (1); 1742 } 1743 if (zstate < ZONE_STATE_INCOMPLETE) { 1744 zerror(zlogp, B_FALSE, 1745 "cannot manage a zone which is in state '%s'", 1746 zone_state_str(zstate)); 1747 return (1); 1748 } 1749 1750 /* Get a handle to the brand info for this zone */ 1751 if (zone_get_brand(zone_name, brand_name, sizeof (brand_name)) 1752 != Z_OK) { 1753 zerror(zlogp, B_FALSE, "unable to determine zone brand"); 1754 return (1); 1755 } 1756 zone_isnative = (strcmp(brand_name, NATIVE_BRAND_NAME) == 0); 1757 zone_islabeled = (strcmp(brand_name, LABELED_BRAND_NAME) == 0); 1758 1759 /* 1760 * In the alternate root environment, the only supported 1761 * operations are mount and unmount. In this case, just treat 1762 * the zone as native if it is cluster. Cluster zones can be 1763 * native for the purpose of LU or upgrade, and the cluster 1764 * brand may not exist in the miniroot (such as in net install 1765 * upgrade). 1766 */ 1767 if (strcmp(brand_name, CLUSTER_BRAND_NAME) == 0) { 1768 zone_iscluster = B_TRUE; 1769 if (zonecfg_in_alt_root()) { 1770 (void) strlcpy(brand_name, NATIVE_BRAND_NAME, 1771 sizeof (brand_name)); 1772 } 1773 } else { 1774 zone_iscluster = B_FALSE; 1775 } 1776 1777 if ((bh = brand_open(brand_name)) == NULL) { 1778 zerror(zlogp, B_FALSE, "unable to open zone brand"); 1779 return (1); 1780 } 1781 1782 /* Get state change brand hooks. */ 1783 if (brand_callback_init(bh, zone_name) == -1) { 1784 zerror(zlogp, B_TRUE, 1785 "failed to initialize brand state change hooks"); 1786 brand_close(bh); 1787 return (1); 1788 } 1789 1790 brand_close(bh); 1791 1792 /* 1793 * Check that we have all privileges. It would be nice to pare 1794 * this down, but this is at least a first cut. 1795 */ 1796 if ((privset = priv_allocset()) == NULL) { 1797 zerror(zlogp, B_TRUE, "%s failed", "priv_allocset"); 1798 return (1); 1799 } 1800 1801 if (getppriv(PRIV_EFFECTIVE, privset) != 0) { 1802 zerror(zlogp, B_TRUE, "%s failed", "getppriv"); 1803 priv_freeset(privset); 1804 return (1); 1805 } 1806 1807 if (priv_isfullset(privset) == B_FALSE) { 1808 zerror(zlogp, B_FALSE, "You lack sufficient privilege to " 1809 "run this command (all privs required)"); 1810 priv_freeset(privset); 1811 return (1); 1812 } 1813 priv_freeset(privset); 1814 1815 if (mkzonedir(zlogp) != 0) 1816 return (1); 1817 1818 /* 1819 * Pre-fork: setup shared state 1820 */ 1821 if ((shstate = (void *)mmap(NULL, shstatelen, 1822 PROT_READ|PROT_WRITE, MAP_SHARED|MAP_ANON, -1, (off_t)0)) == 1823 MAP_FAILED) { 1824 zerror(zlogp, B_TRUE, "%s failed", "mmap"); 1825 return (1); 1826 } 1827 if (sema_init(&shstate->sem, 0, USYNC_PROCESS, NULL) != 0) { 1828 zerror(zlogp, B_TRUE, "%s failed", "sema_init()"); 1829 (void) munmap((char *)shstate, shstatelen); 1830 return (1); 1831 } 1832 shstate->log.logfile = NULL; 1833 shstate->log.buflen = shstatelen - sizeof (*shstate); 1834 shstate->log.loglen = shstate->log.buflen; 1835 shstate->log.buf = (char *)shstate + sizeof (*shstate); 1836 shstate->log.log = shstate->log.buf; 1837 shstate->log.locale = parents_locale; 1838 shstate->status = -1; 1839 1840 /* 1841 * We need a SIGCHLD handler so the sema_wait() below will wake 1842 * up if the child dies without doing a sema_post(). 1843 */ 1844 (void) sigset(SIGCHLD, sigchld); 1845 /* 1846 * We must mask SIGCHLD until after we've coped with the fork 1847 * sufficiently to deal with it; otherwise we can race and 1848 * receive the signal before pid has been initialized 1849 * (yes, this really happens). 1850 */ 1851 (void) sigemptyset(&block_cld); 1852 (void) sigaddset(&block_cld, SIGCHLD); 1853 (void) sigprocmask(SIG_BLOCK, &block_cld, NULL); 1854 1855 if ((ctfd = init_template()) == -1) { 1856 zerror(zlogp, B_TRUE, "failed to create contract"); 1857 return (1); 1858 } 1859 1860 /* 1861 * Do not let another thread localize a message while we are forking. 1862 */ 1863 (void) mutex_lock(&msglock); 1864 pid = fork(); 1865 (void) mutex_unlock(&msglock); 1866 1867 /* 1868 * In all cases (parent, child, and in the event of an error) we 1869 * don't want to cause creation of contracts on subsequent fork()s. 1870 */ 1871 (void) ct_tmpl_clear(ctfd); 1872 (void) close(ctfd); 1873 1874 if (pid == -1) { 1875 zerror(zlogp, B_TRUE, "could not fork"); 1876 return (1); 1877 1878 } else if (pid > 0) { /* parent */ 1879 (void) sigprocmask(SIG_UNBLOCK, &block_cld, NULL); 1880 /* 1881 * This marks a window of vulnerability in which we receive 1882 * the SIGCLD before falling into sema_wait (normally we would 1883 * get woken up from sema_wait with EINTR upon receipt of 1884 * SIGCLD). So we may need to use some other scheme like 1885 * sema_posting in the sigcld handler. 1886 * blech 1887 */ 1888 (void) sema_wait(&shstate->sem); 1889 (void) sema_destroy(&shstate->sem); 1890 if (shstate->status != 0) 1891 (void) waitpid(pid, NULL, WNOHANG); 1892 /* 1893 * It's ok if we die with SIGPIPE. It's not like we could have 1894 * done anything about it. 1895 */ 1896 (void) fprintf(stderr, "%s", shstate->log.buf); 1897 _exit(shstate->status == 0 ? 0 : 1); 1898 } 1899 1900 /* 1901 * The child charges on. 1902 */ 1903 (void) sigset(SIGCHLD, SIG_DFL); 1904 (void) sigprocmask(SIG_UNBLOCK, &block_cld, NULL); 1905 1906 /* 1907 * SIGPIPE can be delivered if we write to a socket for which the 1908 * peer endpoint is gone. That can lead to too-early termination 1909 * of zoneadmd, and that's not good eats. 1910 */ 1911 (void) sigset(SIGPIPE, SIG_IGN); 1912 /* 1913 * Stop using stderr 1914 */ 1915 zlogp = &shstate->log; 1916 1917 /* 1918 * We don't need stdout/stderr from now on. 1919 */ 1920 closefrom(0); 1921 1922 /* 1923 * Initialize the syslog zlog_t. This needs to be done after 1924 * the call to closefrom(). 1925 */ 1926 logsys.buf = logsys.log = NULL; 1927 logsys.buflen = logsys.loglen = 0; 1928 logsys.logfile = NULL; 1929 logsys.locale = DEFAULT_LOCALE; 1930 1931 openlog("zoneadmd", LOG_PID, LOG_DAEMON); 1932 1933 /* 1934 * The eventstream is used to publish state changes in the zone 1935 * from the door threads to the console I/O poller. 1936 */ 1937 if (eventstream_init() == -1) { 1938 zerror(zlogp, B_TRUE, "unable to create eventstream"); 1939 goto child_out; 1940 } 1941 1942 (void) snprintf(zone_door_path, sizeof (zone_door_path), 1943 "%s" ZONE_DOOR_PATH, zonecfg_get_root(), zone_name); 1944 1945 /* 1946 * See if another zoneadmd is running for this zone. If not, then we 1947 * can now modify system state. 1948 */ 1949 if (make_daemon_exclusive(zlogp) == -1) 1950 goto child_out; 1951 1952 1953 /* 1954 * Create/join a new session; we need to be careful of what we do with 1955 * the console from now on so we don't end up being the session leader 1956 * for the terminal we're going to be handing out. 1957 */ 1958 (void) setsid(); 1959 1960 /* 1961 * This thread shouldn't be receiving any signals; in particular, 1962 * SIGCHLD should be received by the thread doing the fork(). 1963 */ 1964 (void) sigfillset(&blockset); 1965 (void) thr_sigsetmask(SIG_BLOCK, &blockset, NULL); 1966 1967 /* 1968 * Setup the console device and get ready to serve the console; 1969 * once this has completed, we're ready to let console clients 1970 * make an attempt to connect (they will block until 1971 * serve_console_sock() below gets called, and any pending 1972 * connection is accept()ed). 1973 */ 1974 if (!zonecfg_in_alt_root() && init_console(zlogp) < 0) 1975 goto child_out; 1976 1977 /* 1978 * Take the lock now, so that when the door server gets going, we 1979 * are guaranteed that it won't take a request until we are sure 1980 * that everything is completely set up. See the child_out: label 1981 * below to see why this matters. 1982 */ 1983 (void) mutex_lock(&lock); 1984 1985 /* Init semaphore for scratch zones. */ 1986 if (sema_init(&scratch_sem, 0, USYNC_THREAD, NULL) == -1) { 1987 zerror(zlogp, B_TRUE, 1988 "failed to initialize semaphore for scratch zone"); 1989 goto child_out; 1990 } 1991 1992 /* open the dladm handle */ 1993 if (dladm_open(&dld_handle) != DLADM_STATUS_OK) { 1994 zerror(zlogp, B_FALSE, "failed to open dladm handle"); 1995 goto child_out; 1996 } 1997 1998 /* 1999 * Note: door setup must occur *after* the console is setup. 2000 * This is so that as zlogin tests the door to see if zoneadmd 2001 * is ready yet, we know that the console will get serviced 2002 * once door_info() indicates that the door is "up". 2003 */ 2004 if (setup_door(zlogp) == -1) 2005 goto child_out; 2006 2007 /* 2008 * Things seem OK so far; tell the parent process that we're done 2009 * with setup tasks. This will cause the parent to exit, signalling 2010 * to zoneadm, zlogin, or whatever forked it that we are ready to 2011 * service requests. 2012 */ 2013 shstate->status = 0; 2014 (void) sema_post(&shstate->sem); 2015 (void) munmap((char *)shstate, shstatelen); 2016 shstate = NULL; 2017 2018 (void) mutex_unlock(&lock); 2019 2020 /* 2021 * zlogp is now invalid, so reset it to the syslog logger. 2022 */ 2023 zlogp = &logsys; 2024 2025 /* 2026 * Now that we are free of any parents, switch to the default locale. 2027 */ 2028 (void) setlocale(LC_ALL, DEFAULT_LOCALE); 2029 2030 /* 2031 * At this point the setup portion of main() is basically done, so 2032 * we reuse this thread to manage the zone console. When 2033 * serve_console() has returned, we are past the point of no return 2034 * in the life of this zoneadmd. 2035 */ 2036 if (zonecfg_in_alt_root()) { 2037 /* 2038 * This is just awful, but mounted scratch zones don't (and 2039 * can't) have consoles. We just wait for unmount instead. 2040 */ 2041 while (sema_wait(&scratch_sem) == EINTR) 2042 ; 2043 } else { 2044 serve_console(zlogp); 2045 assert(in_death_throes); 2046 } 2047 2048 /* 2049 * This is the next-to-last part of the exit interlock. Upon calling 2050 * fdetach(), the door will go unreferenced; once any 2051 * outstanding requests (like the door thread doing Z_HALT) are 2052 * done, the door will get an UNREF notification; when it handles 2053 * the UNREF, the door server will cause the exit. 2054 */ 2055 assert(!MUTEX_HELD(&lock)); 2056 (void) fdetach(zone_door_path); 2057 2058 for (;;) 2059 (void) pause(); 2060 2061 child_out: 2062 assert(pid == 0); 2063 if (shstate != NULL) { 2064 shstate->status = -1; 2065 (void) sema_post(&shstate->sem); 2066 (void) munmap((char *)shstate, shstatelen); 2067 } 2068 2069 /* 2070 * This might trigger an unref notification, but if so, 2071 * we are still holding the lock, so our call to exit will 2072 * ultimately win the race and will publish the right exit 2073 * code. 2074 */ 2075 if (zone_door != -1) { 2076 assert(MUTEX_HELD(&lock)); 2077 (void) door_revoke(zone_door); 2078 (void) fdetach(zone_door_path); 2079 } 2080 2081 if (dld_handle != NULL) 2082 dladm_close(dld_handle); 2083 2084 return (1); /* return from main() forcibly exits an MT process */ 2085 } 2086